Fix ynhpanel.js access in unprotected case #119
base: stretch
Conversation
Wow, that looks quite technical and must have been painful to debug x_x Thanks a lot for this, I'll have a look at some point.
I tested this today and it doesn't work 100% :/ ...
Looking deeper in the code to understand the original issue, I realize that the way we handle multi-domain with the SSO is really confusing. In particular, from what I understand, one of the root causes of the issue is that we can't really check if the user is logged in when browsing
Dunno if I'm stretching this too far, but I opened a discussion on the forum: https://forum.yunohost.org/t/call-for-feedback-sso-portal-in-multi-domain-context-how-should-it-work/7491
Yes it's what I understood when I worked on this issue. Considering that the user is authenticated on
Hello, I did some new tests and my conclusion is that it's not possible this way. The initial idea was to do the "cross domain authentication" in the background of the browser. The problem with this is that the cookie stored by SSOwat with the parameter
So the only way to fix this case of unprotected-url is to do a redirection in the foreground, the same as with the protected-url. For example, one idea could be to implement this mechanism:
But yes, it looks quite complex for not a big feature... The other easy way is just to remove the
Problem
To reproduce this bug you need this:
- a.tld (as the main yunohost domain)
- b.tld
- b.tld which uses the "unprotected_uri" and which shows the "Yunohost tile".
- a.tld.
- b.tld/.
This happens because SSOwat doesn't detect any cookies for b.tld, so it considers the client as not authenticated.
Solution
Force SSOwat to reauthenticate the user for b.tld by a redirection. Note that this process already works when the app is not installed in the root of the domain.
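The cookie behaviour behind this bug, as an added Python illustration that is not code from SSOwat or from this PR: a browser only presents a cookie to hosts that domain-match the cookie's domain (RFC 6265 section 5.1.3), so a session cookie set while logging in on a.tld never reaches b.tld, and a check on b.tld that only looks for that cookie sees an anonymous client. The simulated fix is a foreground bounce: redirect the client to the portal on the main domain, let it prove its session there, and come back with a one-time token that is exchanged for a cookie scoped to b.tld. The cookie name SSOwAuthUser, the portal path /yunohost/sso/, the query parameters r and sso_token, the session store and the token exchange are all assumptions made for this example, not SSOwat's actual mechanism.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

MAIN_DOMAIN = "a.tld"                  # constructed: the main YunoHost domain
COOKIE = "SSOwAuthUser"                # assumed cookie name for this example
SESSIONS = {"sess-123": "alice"}       # constructed server-side session store
ONE_TIME_TOKENS = {}                   # token -> session id, consumed exactly once


def domain_match(request_host, cookie_domain):
    """RFC 6265 s5.1.3 domain-match: the host equals the cookie domain or is a
    subdomain of it. 'b.tld' never matches a cookie set for 'a.tld'."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    return host == dom or host.endswith("." + dom)


class BrowserJar:
    """Minimal cookie jar: a cookie is only sent to hosts it domain-matches."""

    def __init__(self):
        self.cookies = []              # list of (domain, name, value)

    def set(self, domain, name, value):
        self.cookies.append((domain, name, value))

    def cookies_for(self, host):
        return {n: v for d, n, v in self.cookies if domain_match(host, d)}


def sso_decide(host, path, cookies):
    """Hypothetical decision for a URI the SSO treats as unprotected (assumption,
    not SSOwat's logic). A known session is served; otherwise the client is
    redirected to the portal on the main domain, carrying the original URL so
    it can be sent back once its session has been checked there."""
    user = SESSIONS.get(cookies.get(COOKIE))
    if user:
        return ("serve", user)
    back = f"https://{host}{path}"
    return ("redirect", f"https://{MAIN_DOMAIN}/yunohost/sso/?" + urlencode({"r": back}))


def portal(cookies, return_url):
    """Portal on the main domain: with a valid main-domain cookie, mint a one-time
    token bound to the session and send the client back to the other domain.
    Without one the client goes back anonymous, so nobody is forced to log in."""
    sid = cookies.get(COOKIE)
    if sid not in SESSIONS:
        return ("redirect", return_url)
    token = secrets.token_urlsafe(16)
    ONE_TIME_TOKENS[token] = sid
    sep = "&" if "?" in return_url else "?"
    return ("redirect", return_url + sep + urlencode({"sso_token": token}))


def exchange_token(jar, host, url):
    """Second domain: redeem the token once and set a cookie scoped to this host.
    pop() removes the token, so a replayed or forged token is rejected."""
    token = parse_qs(urlparse(url).query).get("sso_token", [None])[0]
    sid = ONE_TIME_TOKENS.pop(token, None)
    if sid is not None:
        jar.set(host, COOKIE, sid)
    return sid is not None


def simulate():
    """Log in on a.tld, then visit the root of b.tld before and after the bounce."""
    jar = BrowserJar()
    jar.set(MAIN_DOMAIN, COOKIE, "sess-123")          # session established on a.tld
    before = sso_decide("b.tld", "/", jar.cookies_for("b.tld"))   # no cookie reaches b.tld
    return_url = parse_qs(urlparse(before[1]).query)["r"][0]
    _, bounce = portal(jar.cookies_for(MAIN_DOMAIN), return_url)
    accepted = exchange_token(jar, "b.tld", bounce)
    replayed = exchange_token(jar, "b.tld", bounce)   # same token a second time
    after = sso_decide("b.tld", "/", jar.cookies_for("b.tld"))
    return {"first": before[0], "accepted": accepted,
            "replay_accepted": replayed, "after": after}


if __name__ == "__main__":
    print(simulate())
```

The first request to b.tld yields a redirect even though the user is logged in, which is exactly the "not authenticated" verdict described above; only after the bounce does b.tld hold a cookie of its own. Binding the returned token to a single use is what keeps the redirect step from becoming a way to obtain someone else's session from a copied URL.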